TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2014

September 23, 2014

Reference Number: 2014-20-090

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / http://www.treasury.gov/tigta


HIGHLIGHTS

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION – FEDERAL INFORMATION SECURITY MANAGEMENT ACT REPORT FOR FISCAL YEAR 2014

Highlights
Final Report Issued on September 23, 2014

Highlights of Reference Number: 2014-20-090 to the Department of the Treasury, Office of the Inspector General, Assistant Inspector General for Audit.

IMPACT ON TAXPAYERS

The Federal Information Security Management Act of 2002 (FISMA) was enacted to strengthen the security of information and systems within Federal Government agencies. The IRS collects and maintains a significant amount of personal and financial information on each taxpayer. As custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of this sensitive information against unauthorized access or loss.

WHY TIGTA DID THE AUDIT

As part of the FISMA legislation, the Offices of Inspectors General are required to perform an annual independent evaluation of each Federal agency's information security programs and practices. This report presents the results of TIGTA's FISMA evaluation of the IRS for Fiscal Year 2014.

WHAT TIGTA FOUND

Based on this year's FISMA evaluation, five of the 11 security program areas met the performance metrics specified by the Department of Homeland Security's Fiscal Year 2014 Inspector General Federal Information Security Management Act Reporting Metrics:
    • Risk Management.
    • Plan of Action and Milestones.
    • Contingency Planning.
    • Contractor Systems.
    • Security Capital Planning.

Four security program areas were not fully effective due to one or more program attributes that were not met:
    • Continuous Monitoring Management.
    • Incident Response and Reporting.
    • Security Training.
    • Remote Access Management.

Two security program areas did not meet the level of performance specified due to the majority of the attributes not being met:
    • Configuration Management.
    • Identity and Access Management.

To meet the expected level of performance for Configuration Management, the IRS needs to improve enterprise-wide processes for assessing configuration settings and vulnerabilities through automated scanning, timely remediating scan result deviations, timely installing software patches, and controlling changes to hardware and software configurations.

To meet the expected level of performance for Identity and Access Management, the IRS needs to fully implement unique user identification and authentication that complies with Homeland Security Presidential Directive-12, ensure that users are only granted access based on needs, ensure that user accounts are terminated when no longer required, and control the improper use of shared accounts.

WHAT TIGTA RECOMMENDED

TIGTA does not include recommendations as part of its annual FISMA evaluation and reports only on the level of performance achieved by the IRS using the guidelines issued by the Department of Homeland Security for the applicable FISMA evaluation period.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 23, 2014

MEMORANDUM FOR ASSISTANT INSPECTOR GENERAL FOR AUDIT
               OFFICE OF THE INSPECTOR GENERAL
               DEPARTMENT OF THE TREASURY

FROM:          Michael E. McKenney
               Deputy Inspector General for Audit

SUBJECT:       Final Audit Report – Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2014 (Audit # 201420001)

This report presents the results of the Treasury Inspector General for Tax Administration's Federal Information Security Management Act[1] evaluation of the Internal Revenue Service for Fiscal Year 2014. The Act requires Federal agencies to have an annual independent evaluation performed of their information security programs and practices and to report the results of the evaluations to the Office of Management and Budget.

The report was forwarded to the Treasury Inspector General for consolidation into a report issued to the Department of the Treasury Chief Information Officer. Copies of this report are also being sent to the IRS managers affected by the report results.

If you have any questions, please contact me or Kent Sagara, Acting Assistant Inspector General for Audit (Security and Information Technology Services).

[1] Title III of the E-Government Act of 2002, Pub. L. No. 107-374, 116 Stat. 2899.


Table of Contents

Background .................................................................................... Page 1

Results of Review ............................................................................ Page 3
          The Internal Revenue Service's Information Security Program Generally Complies With the Federal Information Security Management Act, but Improvements Are Needed in Configuration Management and Identity and Access Management ........ Page 3

Appendices
          Appendix I – Detailed Objective, Scope, and Methodology .................. Page 18
          Appendix II – Major Contributors to This Report .......................... Page 19
          Appendix III – Report Distribution List .................................. Page 20
          Appendix IV – Treasury Inspector General for Tax Administration Information Technology Security-Related Reports Issued During the Fiscal Year 2014 Evaluation Period ......... Page 21


Abbreviations

CIO        Chief Information Officer
DHS        Department of Homeland Security
FCD1       Federal Continuity Directive 1
FIPS       Federal Information Processing Standards
FISMA      Federal Information Security Management Act
FY         Fiscal Year
GAO        Government Accountability Office
HSPD-12    Homeland Security Presidential Directive-12
IP         Internet Protocol
IRS        Internal Revenue Service
ISCM       Information Security Continuous Monitoring
IT         Information Technology
NIST       National Institute of Standards and Technology
OIG        Office of the Inspector General
OMB        Office of Management and Budget
PIV        Personal Identity Verification
POA&M      Plan of Action and Milestones
SCAP       Security Content Automation Protocol
SP         Special Publication
TIGTA      Treasury Inspector General for Tax Administration
US-CERT    United States Computer Emergency Response Team
USGCB      United States Government Configuration Baseline


Background

The Federal Information Security Management Act (FISMA) of 2002[1] was enacted to strengthen the security of information and systems within Federal agencies. The FISMA requires Federal agencies to develop, document, and implement an agency-wide information security program that provides security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

The FISMA requires the Office of Management and Budget (OMB) to develop and oversee the implementation of policies, principles, standards, and guidelines on information security that are commensurate with the risk and magnitude of the possible harm to Federal systems or information. To ensure uniformity in this process, the FISMA requires the National Institute of Standards and Technology (NIST) to prescribe standards and guidelines pertaining to Federal information systems. The FISMA also charges the OMB with producing an annual report to keep Congress apprised of Federal progress in increasing information security.

Agency heads are responsible for complying with the requirements of FISMA and related OMB policies and NIST procedures, standards, and guidelines. In addition, the FISMA requires agencies to have an annual independent evaluation performed of their information security programs and practices and to report the evaluation results to the OMB. The FISMA states that the independent evaluation is to be performed by the agency Inspector General or an independent external auditor as determined by the Inspector General.

In July 2010, OMB Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS), expanded the role of the DHS in regard to the operational aspects of Federal agency cybersecurity and information systems that fall within FISMA requirements. The DHS prepares the security metrics to assist the Federal agencies and the Inspectors General in evaluating agency progress in achieving compliance with Federal security standards.

FISMA oversight of the Department of the Treasury is performed by two distinct Inspector General offices: the Treasury Inspector General for Tax Administration (TIGTA) and the Treasury Office of the Inspector General (OIG). The TIGTA is responsible for oversight of the Internal Revenue Service (IRS), while the Treasury OIG is responsible for all other Treasury bureaus. The Treasury OIG has contracted with KPMG LLP to perform the FISMA evaluation of the non-IRS bureaus. The TIGTA will issue its final report with the results of its evaluation of the IRS to the Treasury OIG, which will then combine the results for all the Treasury bureaus into one report for the OMB.

[1] Title III of the E-Government Act of 2002, Pub. L. No. 107-374, 116 Stat. 2899.

Page 1

The IRS collects and maintains a significant amount of personal and financial information on each taxpayer. As custodians of taxpayer information, the IRS is responsible for implementing appropriate security controls to protect the confidentiality of this sensitive information against unauthorized access or loss.

This review was performed at, and with information obtained from, the IRS Information Technology organization's Office of Cybersecurity in New Carrollton, Maryland, during the period May through August 2014. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.


Results of Review

The Internal Revenue Service's Information Security Program Generally Complies With the Federal Information Security Management Act, but Improvements Are Needed in Configuration Management and Identity and Access Management

To assist the Inspectors General in evaluating Federal agencies' compliance with the FISMA, the DHS issued the Fiscal Year (FY) 2014 Inspector General Federal Information Security Management Act Reporting Metrics on December 2, 2013, which specified 11 information security program areas and listed specific attributes within each area for evaluation. The 11 information security program areas are continuous monitoring management, configuration management, identity and access management, incident response and reporting, risk management, security training, plan of action and milestones, remote access management, contingency planning, contractor systems, and security capital planning.

Overall, the IRS has established an information security program and related practices that cover the 11 FISMA program areas. However, based on our FY 2014 FISMA evaluation, two of the program areas, Configuration Management and Identity and Access Management, did not meet applicable FISMA requirements due to the majority of the program attributes specified by the DHS guidelines not being met. We also identified improvements needed in five other FISMA program areas.

Based on our FY 2014 FISMA evaluation, five of the 11 security program areas met the performance metrics specified in the DHS guidelines:
    • Risk Management.[2]
    • Plan of Action and Milestones.
    • Contingency Planning.
    • Contractor Systems.
    • Security Capital Planning.

[2] Although the IRS met the performance metrics specified by the DHS for Risk Management, TIGTA found deficiencies with the IRS's risk-based decisions process that were not in alignment with policy. Specifically, we found that not all risk-based decisions are adequately documented and tracked.

Four security program areas were not fully effective due to one or more DHS guideline program attributes that were not met:
    • Continuous Monitoring Management.
      The IRS has not yet implemented its Information Security Continuous Monitoring (ISCM) strategy, but stated that it is fully participating in the DHS's Continuous Diagnostics and Mitigation Program to comply with the OMB M-14-03[3] mandate to implement ISCM and is in the process of determining its final toolset to meet the program requirements.
    • Incident Response and Reporting.
      The IRS did not always report incidents involving Personally Identifiable Information to the U.S. Computer Emergency Response Team (US-CERT) within established time frames.
    • Security Training.
      The IRS has not yet fully implemented a process for identifying and tracking contractors who are required to complete specialized training, but stated that it continues to make progress and is working to incorporate a clause into contracts that requires contractors to complete and record such training.
    • Remote Access Management.
      The IRS has not fully implemented unique user identification and authentication that complies with Homeland Security Presidential Directive-12 (HSPD-12).

[3] OMB, OMB Memorandum M-14-03, Enhancing the Security of Federal Information and Information Systems (Nov. 2013).

Two security program areas, Configuration Management and Identity and Access Management, did not meet the level of performance specified by the DHS guidelines due to the majority of the specified attributes not being met:
    • Configuration Management.
      To meet the expected level of performance for Configuration Management, the IRS needs to improve enterprise-wide processes for assessing configuration settings and vulnerabilities through automated scanning, timely remediating scan result deviations, timely installing software patches, and controlling changes to hardware and software configurations.
    • Identity and Access Management.
      To meet the expected level of performance for Identity and Access Management, the IRS needs to fully implement unique user identification and authentication that complies with HSPD-12, ensure that users are only granted access based on needs, ensure that user accounts are terminated when no longer required, and control the improper use of shared accounts.

Until the IRS takes steps to improve its security program deficiencies and fully implements all 11 security program areas required by the FISMA, taxpayer data will remain vulnerable to inappropriate use, modification, or disclosure, possibly without being detected.

Figure 1 presents TIGTA's detailed results for the 11 security program areas in response to the DHS's FY 2014 Inspector General Federal Information Security Management Act Reporting Metrics.[4] TIGTA's results will be consolidated with the Treasury OIG's results of non-IRS bureaus and reported to the OMB.

[4] Many abbreviations in this matrix are used as presented in the original document and are not defined therein. However, we have provided the definitions in the Abbreviations page after the Table of Contents of this report.

Figure 1: TIGTA's Responses to the DHS's FY 2014 Inspector General Federal Information Security Management Act Reporting Metrics

1: Continuous Monitoring Management

Status of Continuous Monitoring Management Program [check one: Yes or No]: Yes

1.1. Has the organization established an enterprise-wide continuous monitoring program that assesses the security state of information systems that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

1.1.1. Documented policies and procedures for continuous monitoring. (NIST SP 800-53: CA-7)
Response: Yes

1.1.2. Documented strategy for information security continuous monitoring (ISCM).
Response: Yes

1.1.3. Implemented ISCM for information technology assets.
Response: No
TIGTA Comments: The IRS has not yet implemented its ISCM strategy, but it stated that it is fully participating in the DHS's Continuous Diagnostics and Mitigation Program to comply with the OMB M-14-03 mandate and is in the process of determining its final toolset to meet the program requirements.

1.1.4. Evaluate risk assessments used to develop their ISCM strategy.
Response: Yes

1.1.5. Conduct and report on ISCM results in accordance with their ISCM strategy.
Response: No
TIGTA Comments: The IRS has not yet implemented its ISCM strategy, but it stated that it is fully participating in the DHS's Continuous Diagnostics and Mitigation Program to comply with the OMB M-14-03 mandate and is in the process of determining its final toolset to meet the program requirements.

1.1.6. Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans. (NIST SP 800-53, NIST SP 800-53A)
Response: Yes

1.1.7. Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as a common and consistent POA&M program that is updated with the frequency defined in the strategy and/or plans. (NIST SP 800-53, 800-53A)
Response: Yes

1.2. Please provide any additional information on the effectiveness of the organization's Continuous Monitoring Management Program that was not noted in the questions above.

2: Configuration Management

Status of Configuration Management Program [check one: Yes or No]: No

2.1. Has the organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

2.1.1. Documented policies and procedures for configuration management.
Response: Yes

2.1.2. Defined standard baseline configurations.
Response: Yes

2.1.3. Assessments of compliance with baseline configurations.
Response: No
TIGTA Comments: The IRS has not deployed automated mechanisms to centrally manage, apply, and verify baseline configuration settings and produce FISMA compliance reports using the NIST-defined Security Content Automation Protocol (SCAP) format for all of its IT assets.

2.1.4. Process for timely (as specified in organization policy or standards) remediation of scan result deviations.
Response: No
TIGTA Comments: The IRS has not yet fully implemented configuration baseline scanning tools and processes on all systems to ensure timely remediation of scan result deviations.

2.1.5. For Windows-based components, USGCB secure configuration settings are fully implemented and any deviations from USGCB baseline settings are fully documented.
Response: Yes

2.1.6. Documented proposed or actual changes to the hardware and software configurations.
Response: No
TIGTA Comments: The IRS has not yet fully implemented configuration and change management controls to ensure that proposed or actual changes to hardware and software configurations are documented and controlled.

2.1.7. Process for the timely and secure installation of software patches.
Response: No
TIGTA Comments: The IRS has not implemented an adequate enterprise-wide process to ensure timely installation of software patches on all platforms.

2.1.8. Software assessing (scanning) capabilities are fully implemented. (NIST SP 800-53: RA-5, SI-2)
Response: No
TIGTA Comments: Monthly software assessment vulnerability scans are not performed on all systems.

2.1.9. Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization policy or standards. (NIST SP 800-53: CM-4, CM-6, RA-5, SI-2)
Response: No
TIGTA Comments: The IRS has not yet fully implemented configuration-related vulnerability scanning tools and processes on all systems to ensure timely remediation of scan result deviations. Also, IRS processes to share vulnerability information with system owners and administrators are still under development.

2.1.10. Patch management process is fully developed, as specified in organization policy or standards. (NIST SP 800-53: CM-3, SI-2)
Response: No
TIGTA Comments: The IRS has not implemented an adequate enterprise-wide process to ensure timely installation of software patches on all platforms.

2.2. Please provide any additional information on the effectiveness of the organization's Configuration Management Program that was not noted in the questions above.
TIGTA Comments: The IRS intends to create and deploy a standard change management process for its Information Technology organization, supported by an integrated change management system called the Enterprise Configuration Management System.

2.3. Does the organization have an enterprise deviation handling process and is it integrated with the automated capability?
Response: No
TIGTA Comments: The IRS has not yet implemented its ISCM strategy in order to accomplish an enterprise deviation handling process that is integrated with an automated capability.

2.3.1. Is there a process for mitigating the risk introduced by those deviations?
Response: No
TIGTA Comments: The IRS has not yet implemented its ISCM strategy in order to accomplish an enterprise deviation handling process that is integrated with an automated capability.

3: Identity and Access Management

Status of Identity and Access Management Program [check one: Yes or No]: No

3.1. Has the organization established an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and that identifies users and network devices? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?

3.1.1. Documented policies and procedures for account and identity management. (NIST SP 800-53: AC-1)
Response: Yes

3.1.2. Identifies all users, including Federal employees, contractors, and others who access organization systems. (NIST SP 800-53: AC-2)
Response: No
TIGTA Comments: Users are not uniquely identified and authenticated on all IRS systems. Also, the IRS has not fully implemented unique user identification and authentication that complies with HSPD-12. In addition, nine of the 10 systems we reviewed did not have the NIST SP 800-53 AC-2 security control fully in place.

3.1.3. Identifies when special access requirements (e.g., multifactor authentication) are necessary.
Response: No
TIGTA Comments: The IRS has not fully implemented multifactor authentication in compliance with HSPD-12.

3.1.4. If multifactor authentication is in use, it is linked to the organization's PIV program where appropriate. (NIST SP 800-53: IA-2)
Response: No
TIGTA Comments: The IRS has not fully deployed multifactor authentication via the use of an HSPD-12 PIV card for all users for network and local access to nonprivileged or privileged accounts as required by HSPD-12.

3.1.5. Organization has planned for implementation of PIV for logical access in accordance with Government policies. (HSPD-12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11)
Response: No
TIGTA Comments: Considerable challenges still exist for the IRS in achieving full implementation of PIV for logical access due to its legacy environment and other factors.

3.1.6. Organization has adequately planned for implementation of PIV for physical access in accordance with Government policies. (HSPD-12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11)
Response: No
TIGTA Comments: During the FY 2014 FISMA evaluation period, the IRS had not planned to implement PIV for physical access at all its facilities. However, the IRS has informed us that it has prioritized the remaining locations and developed a long-range plan, dependent on the availability of funding.

3.1.7. Ensures that the users are granted access based on needs and separation-of-duties principles.
Response: No
TIGTA Comments: During FY 2013 and FY 2014, the GAO identified users that had been granted more access than needed and instances where the separation-of-duties principle was not enforced.

3.1.8. Identifies devices with IP addresses that are attached to the network and distinguishes these devices from users. (For example: IP phones, faxes, and printers are examples of devices attached to the network that are distinguishable from desktops, laptops, or servers that have user accounts.)
Response: No
TIGTA Comments: The IRS is still in the process of implementing technical solutions and introducing automated tools to achieve full asset discovery and asset management in accordance with policy.

3.1.9. Identifies all user and nonuser accounts. (Refers to user accounts that are on a system. Data user accounts are created to pull generic information from a database or a guest/anonymous account for generic login purposes. They are not associated with a single user or a specific group of users.)
Response: Yes

3.1.10. Ensures that accounts are terminated or deactivated once access is no longer required.
Response: No
TIGTA Comments: The IRS identified systems that do not have controls in place to ensure that accounts are terminated or deactivated once access is no longer needed.

3.1.11.
Identifies and controls use of shared accounts.\n\n      No        TIGTA Comments: During FY 2013 and FY 2014, the GAO identified\n                improper use of shared accounts; for example, use of a generic administrator\n                accounts and passwords.\n            3.2. Please provide any additional information on the effectiveness of the\n            organization\xe2\x80\x99s Identity and Access Management that was not noted in the\n            questions above.\n\n\n\n\n                                                                                         Page 9\n\x0c                  Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n               Information Security Management Act Report for Fiscal Year 2014\n\n\n\n4: Incident Response and Reporting\n\nStatus of Incident             4.1. Has the organization established an incident response and reporting program\nResponse and Reporting              that is consistent with FISMA requirements, OMB policy, and applicable\n                         Yes\nProgram [check one:                 NIST guidelines? Besides the improvement opportunities that may have been\nYes or No]                          identified by the OIG, does the program include the following attributes?\xc2\xa0\n                                   4.1.1. Documented policies and procedures for detecting, responding to, and\n                         Yes\n                                   reporting incidents. (NIST SP 800-53: IR-1)\n                         Yes       4.1.2. Comprehensive analysis, validation, and documentation of incidents.\n                                   4.1.3. 
When applicable, reports to US-CERT within established time frames.\n                                   (NIST SP 800-53, 800-61; OMB M-07-16, M-06-19)\n                         No        TIGTA Comments: The IRS did not always report incidents involving\n                                   Personally Identifiable Information to the US-CERT within established time\n                                   frames.\n                                   4.1.4. When applicable, reports to law enforcement within established time\n                         Yes\n                                   frames. (NIST SP 800-61)\n\n                                   4.1.5. Responds to and resolves incidents in a timely manner, as specified in\n                         Yes       organization policy or standards, to minimize further damage.\n                                   (NIST SP 800-53, 800-61; OMB M-07-16, M-06-19)\n                                   4.1.6. Is capable of tracking and managing risks in a virtual/cloud\n                         Yes\n                                   environment, if applicable.\n                         Yes       4.1.7. Is capable of correlating incidents.\n                                   4.1.8. Has sufficient incident monitoring and detection coverage in\n                         Yes       accordance with Government policies. (NIST SP 800-53, 800-61;\n                                   OMB M-07-16, M-06-19)\n                               4.2. Please provide any additional information on the effectiveness of the\n                                    organization\xe2\x80\x99s Incident Management Program that was not noted in the\n                                    questions above.\n\n5: Risk Management\n\nStatus of Risk                 5.1. 
Has the organization established a risk management program that is consistent\nManagement Program                  with FISMA requirements, OMB policy, and applicable NIST guidelines?\n                         Yes\n[check one: Yes or No]              Besides the improvement opportunities that may have been identified by the\n                                    OIG, does the program include the following attributes?\xc2\xa0\n                                   5.1.1. Documented policies and procedures for risk management, including\n                         Yes\n                                   descriptions of the roles and responsibilities of participants in this process.\n\n\n\n\n                                                                                                          Page 10\n\x0c   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\nInformation Security Management Act Report for Fiscal Year 2014\n\n\n\n             5.1.2. Addresses risk from an organization perspective with the development\n      Yes    of a comprehensive governance structure and organization-wide risk\n             management strategy as described in NIST SP 800-37, Rev.1.\n\n             5.1.3. Addresses risk from a mission and business process perspective and is\n      Yes    guided by the risk decisions from an organizational perspective, as described\n             in NIST SP 800-37, Rev. 1.\n             5.1.4. Addresses risk from an information system perspective and is guided\n      Yes    by the risk decisions from the organizational perspective and the mission and\n             business perspective, as described in NIST SP 800-37, Rev. 1.\n      Yes    5.1.5. Has an up-to-date system inventory.\n\n             5.1.6. Categorizes information systems in accordance with Government\n      Yes\n             policies.\n      Yes    5.1.7. Selects an appropriately tailored set of baseline security controls.\n\n             5.1.8. 
Implements the tailored set of baseline security controls and describes\n      Yes    how the controls are employed within the information system and its\n             environment of operation.\n             5.1.9. Assesses the security controls using appropriate assessment procedures\n             to determine the extent to which the controls are implemented correctly,\n      Yes\n             operating as intended, and producing the desired outcome with respect to\n             meeting the security requirements for the system.\n             5.1.10. Authorizes information system operation based on a determination of\n             the risk to organizational operations and assets, individuals, other\n      Yes\n             organizations, and the Nation resulting from the operation of the information\n             system and the decision that this risk is acceptable.\n\n             5.1.11. Ensures that information security controls are monitored on an\n             ongoing basis, including assessing control effectiveness, documenting\n      Yes    changes to the system or its environment of operation, conducting security\n             impact analyses of the associated changes, and reporting the security state of\n             the system to designated organizational officials.\n             5.1.12. Information system-specific risks (tactical), mission/business-specific\n      Yes    risks, and organizational-level (strategic) risks are communicated to\n             appropriate levels of the organization.\n             5.1.13. Senior officials are briefed on threat activity on a regular basis by\n      Yes\n             appropriate personnel (e.g., Chief Information Security Officer).\n             5.1.14. 
Prescribes the active involvement of information system owners and\n             common control providers, chief information officers, senior information\n      Yes\n             security officers, authorizing officials, and other roles as applicable in the\n             ongoing management of information system\xe2\x80\x93related security risks.\n\n\n\n\n                                                                                     Page 11\n\x0c                  Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n               Information Security Management Act Report for Fiscal Year 2014\n\n\n\n                                   5.1.15. Security authorization package contains system security plan, security\n                         Yes       assessment report, and POA&M in accordance with Government policies.\n                                   (NIST SP 800-18, 800-37)\n                                   5.1.16. Security authorization package contains accreditation boundaries,\n                         Yes       defined in accordance with Government policies, for organization information\n                                   systems.\n                               5.2. Please provide any additional information on the effectiveness of the\n                                    organization\xe2\x80\x99s Risk Management Program that was not noted in the questions\n                                    above.\n                               TIGTA Comments: TIGTA found deficiencies with the IRS\xe2\x80\x99s risk-based\n                               decisions process that were not in alignment with policy. Specifically, we found\n                               that not all risk-based decisions are adequately documented and tracked.\n\n6: Security Training\n\nStatus of Security             6.1. 
Has the organization established a security training program that is consistent\nTraining Program                    with FISMA requirements, OMB policy, and applicable NIST guidelines?\n                         Yes\n[check one: Yes or No]              Besides the improvement opportunities that may have been identified by the\n                                    OIG, does the program include the following attributes?\xc2\xa0\n                                   6.1.1. Documented policies and procedures for security awareness training.\n                         Yes\n                                   (NIST SP 800-53: AT-1)\n\n                                   6.1.2. Documented policies and procedures for specialized training for users\n                         Yes\n                                   with significant information security responsibilities.\n                                   6.1.3. Security training content based on the organization and roles, as\n                         Yes\n                                   specified in organization policy or standards.\n                                   6.1.4. Identification and tracking of the status of security awareness training\n                         Yes       for all personnel (including employees, contractors, and other organization\n                                   users) with access privileges that require security awareness training.\n                                   6.1.5. 
Identification and tracking of the status of specialized training for all\n                                   personnel (including employees, contractors, and other organization users)\n                                   with significant information security responsibilities that require specialized\n                                   training.\n                         No        TIGTA Comments: The IRS has not yet fully implemented a process for\n                                   identifying and tracking contractors who are required to complete specialized\n                                   training, but it stated that it continues to make progress and is working to\n                                   incorporate a clause into contracts that requires contractors to complete and\n                                   record such training.\n\n                                   6.1.6. Training material for security awareness training contains appropriate\n                         Yes\n                                   content for the organization. (NIST SP 800-50, 800-53)\n\n\n\n                                                                                                           Page 12\n\x0c                  Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n               Information Security Management Act Report for Fiscal Year 2014\n\n\n\n                            6.2. Please provide any additional information on the effectiveness of the\n                                 organization\xe2\x80\x99s Security Training Program that was not noted in the questions\n                                 above.\n\n7: Plan of Action & Milestones (POA&M)\n\nStatus of POA&M             7.1. 
Has the organization established a POA&M program that is consistent with\nProgram [check one:              FISMA requirements, OMB policy, and applicable NIST guidelines and\nYes or No]            Yes        tracks and monitors known information security weaknesses? Besides the\n                                 improvement opportunities that may have been identified by the OIG, does\n                                 the program include the following attributes?\xc2\xa0\n                                7.1.1. Documented policies and procedures for managing IT security\n                      Yes       weaknesses discovered during security control assessments and that require\n                                remediation.\n                      Yes       7.1.2. Tracks, prioritizes, and remediates weaknesses.\n\n                      Yes       7.1.3. Ensures that remediation plans are effective for correcting weaknesses.\n                      Yes       7.1.4. Establishes and adheres to milestone remediation dates.\n\n                                7.1.5. Ensures that resources and ownership are provided for correcting\n                      Yes\n                                weaknesses.\n                                7.1.6. POA&Ms include security weaknesses discovered during assessments\n                                of security controls and that require remediation (do not need to include\n                      Yes\n                                security weaknesses due to a risk-based decision to not implement a security\n                                control). (OMB M-04-25)\n                                7.1.7. Costs associated with remediating weaknesses are identified.\n                      Yes\n                                (NIST SP 800-53: PM-3; OMB M-04-25)\n                                7.1.8. 
Program officials report progress on remediation to the CIO on a\n                                regular basis, at least quarterly, and the CIO centrally tracks, maintains, and\n                      Yes\n                                independently reviews/validates the POA&M activities at least quarterly.\n                                (NIST SP 800-53: CA-5; OMB M-04-25)\n\n                            7.2. Please provide any additional information on the effectiveness of the\n                                 organization\xe2\x80\x99s POA&M Program that was not noted in the questions above.\n\n8: Remote Access Management\n\nStatus of Remote            8.1. Has the organization established a remote access program that is consistent\nAccess Management                with FISMA requirements, OMB policy, and applicable NIST guidelines?\n                      Yes\nProgram [check one:              Besides the improvement opportunities that may have been identified by the\nYes or No]                       OIG, does the program include the following attributes?\xc2\xa0\n                                8.1.1. Documented policies and procedures for authorizing, monitoring, and\n                      Yes\n                                controlling all methods of remote access. (NIST SP 800-53: AC-1, AC-17)\n\n                                                                                                       Page 13\n\x0c   Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\nInformation Security Management Act Report for Fiscal Year 2014\n\n\n\n                8.1.2. Protects against unauthorized connections or subversion of authorized\n      Yes\n                connections.\n\n                8.1.3. 
Users are uniquely identified and authenticated for all access.\n                (NIST SP 800-46, Section 4.2, Section 5.1)\n                TIGTA Comments: The IRS has not fully implemented unique user\n      No        identification and authentication that complies with HSPD-12. In addition,\n                system administrators of the virtual private network infrastructure and server\n                components do not use NIST-compliant multifactor authentication for local or\n                network access to privileged accounts.\n\n                8.1.4. Telecommuting policy is fully developed. (NIST SP 800-46,\n      Yes\n                Section 5.1)\n                8.1.5. If applicable, multifactor authentication is required for remote access.\n                (NIST SP 800-46, Section 2.2, Section 3.3)\n      No\n                TIGTA Comments: The IRS has not fully implemented multifactor\n                authentication that complies with HSPD-12.\n                8.1.6. Authentication mechanisms meet NIST SP 800-63 guidance on remote\n                electronic authentication, including strength mechanisms.\n      No\n                TIGTA Comments: The IRS has not fully implemented multifactor\n                authentication that complies with HSPD-12.\n                8.1.7. Defines and implements encryption requirements for information\n      Yes\n                transmitted across public networks.\n                8.1.8. Remote access sessions, in accordance to OMB M-07-16, are\n      Yes       timed-out after 30 minutes of inactivity, after which reauthentication is\n                required.\n                8.1.9. Lost or stolen devices are disabled and appropriately reported.\n      Yes\n                (NIST SP 800-46, Section 4.3; US-CERT Incident Reporting Guidelines)\n                8.1.10. Remote access rules of behavior are adequate in accordance with\n      Yes\n                Government policies. 
(NIST SP 800-53: PL-4)\n                8.1.11. Remote access user agreements are adequate in accordance with\n      Yes\n                Government policies. (NIST SP 800-46, Section 5.1; NIST SP 800-53: PS-6)\n            8.2. Please provide any additional information on the effectiveness of the\n                 organization\xe2\x80\x99s Remote Access Management that was not noted in the\n                 questions above.\n\n            8.3. Does the organization have a policy to detect and remove unauthorized\n      Yes\n                 (rogue) connections?\n\n\n\n\n                                                                                         Page 14\n\x0c                  Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n               Information Security Management Act Report for Fiscal Year 2014\n\n\n\n9: Contingency Planning\n\nStatus of Contingency          9.1. Has the organization established an enterprise-wide business\nPlanning Program                    continuity/disaster recovery program that is consistent with FISMA\n[check one: Yes or No]   Yes        requirements, OMB policy, and applicable NIST guidelines? Besides the\n                                    improvement opportunities that may have been identified by the OIG, does\n                                    the program include the following attributes?\xc2\xa0\n                                   9.1.1. Documented business continuity and disaster recovery policy\n                         Yes       providing the authority and guidance necessary to reduce the impact of a\n                                   disruptive event or disaster. (NIST SP 800-53: CP-1)\n                                   9.1.2. 
The organization has incorporated the results of its system\xe2\x80\x99s Business\n                                   Impact Analysis into the analysis and strategy development efforts for the\n                         Yes\n                                   organization\xe2\x80\x99s Continuity of Operations Plan, Business Continuity Plan, and\n                                   Disaster Recovery Plan. (NIST SP 800-34)\n                                   9.1.3. Development and documentation of division, component, and IT\n                         Yes\n                                   infrastructure recovery strategies, plans, and procedures. (NIST SP 800-34)\n                         Yes       9.1.4. Testing of system-specific contingency plans.\n\n                                   9.1.5. The documented business continuity and disaster recovery plans are in\n                         Yes\n                                   place and can be implemented when necessary. (FCD1, NIST SP 800-34)\n                                   9.1.6. Development of test, training, and exercise programs. (FCD1,\n                         Yes\n                                   NIST SP 800-34, NIST SP 800-53)\n                                   9.1.7. Testing or exercising of business continuity and disaster recovery plans\n                         Yes\n                                   to determine effectiveness and to maintain current plans.\n                                   9.1.8. After-action report that addresses issues identified during\n                         Yes\n                                   contingency/disaster recovery exercises. (FDC1, NIST SP 800-34)\n                                   9.1.9. Systems that have alternate processing sites. (FCD1, NIST SP 800-34,\n                         Yes\n                                   NIST SP 800-53)\n                                   9.1.10. 
Alternate processing sites are not subject to the same risks as primary\n                         Yes\n                                   sites. (FCD1, NIST SP 800-34, NIST SP 800-53)\n                                   9.1.11. Backups of information that are performed in a timely manner.\n                         Yes\n                                   (FCD1, NIST SP 800-34, NIST SP 800-53)\n                         Yes       9.1.12. Contingency planning that considers supply chain threats.\n                               9.2. Please provide any additional information on the effectiveness of the\n                                    organization\xe2\x80\x99s Contingency Planning Program that was not noted in the\n                                    questions above.\n\n\n\n\n                                                                                                         Page 15\n\x0c                  Treasury Inspector General for Tax Administration \xe2\x80\x93 Federal\n               Information Security Management Act Report for Fiscal Year 2014\n\n\n\n10: Contractor Systems\n\nStatus of Contractor         10.1. Has the organization established a program to oversee systems operated on its\nSystems Program                    behalf by contractors or other entities, including organization systems and\n[check one: Yes or No]   Yes       services residing in the cloud external to the organization? Besides the\n                                   improvement opportunities that may have been identified by the OIG, does\n                                   the program include the following attributes?\xc2\xa0\n                                    10.1.1. 
Documented policies and procedures for information security\n                                    oversight of systems operated on the organization\xe2\x80\x99s behalf by contractors or\n                         Yes\n                                    other entities, including organization systems and services residing in a public\n                                    cloud.\n\n                                    10.1.2. The organization obtains sufficient assurance that security controls of\n                         Yes        such systems and services are effectively implemented and comply with\n                                    Federal and organization guidelines. (NIST SP 800-53: CA-2)\n\n                                    10.1.3. A complete inventory of systems operated on the organization\xe2\x80\x99s\n                                    behalf by contractors or other entities, including organization systems and\n                                    services residing in a public cloud.\n                                    TIGTA Comments: In FY 2014, the IRS maintained two\n                                    contractor-managed systems in the Treasury FISMA Information\n                         Yes        Management System (formerly, the Trusted Agent FISMA), which is the U.S.\n                                    Department of the Treasury\xe2\x80\x99s system for reporting FISMA data. The IRS\n                                    Contractor Security Assessments Office maintains a separate listing of\n                                    contractor sites that the IRS does not consider \xe2\x80\x9cFISMA-reportable,\xe2\x80\x9d but that\n                                    require annual security reviews because each handles or processes IRS\n                                    information. 
The IRS Contractor Security Assessments Office is responsible for evaluating security controls at these contractor sites.

  Yes   10.1.4. The inventory identifies interfaces between these systems and organization-operated systems. (NIST SP 800-53: PM-5)
  Yes   10.1.5. The organization requires appropriate agreements (e.g., Memorandums of Understanding, Interconnection Security Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates.
  Yes   10.1.6. The inventory of contractor systems is updated at least annually.
  Yes   10.1.7. Systems that are owned or operated by contractors or entities, including organization systems and services residing in a public cloud, are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.

10.2. Please provide any additional information on the effectiveness of the organization’s Contractor Systems Program that was not noted in the questions above.

11: Security Capital Planning

Status of Security Capital Planning Program [check one: Yes or No]: Yes

11.1. Has the organization established a security capital planning and investment program for information security? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?
  Yes   11.1.1. Documented policies and procedures to address information security in the capital planning and investment control process.
  Yes   11.1.2. Includes information security requirements as part of the capital planning and investment process.
  Yes   11.1.3. Establishes a discrete line item for information security in organizational programming and documentation. (NIST SP 800-53: SA-2)
  Yes   11.1.4. Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required. (NIST SP 800-53: PM-3)
  Yes   11.1.5. Ensures that information security resources are available for expenditure as planned.

11.2. Please provide any additional information on the effectiveness of the organization’s Security Capital Planning Program that was not noted in the questions above.

Source: Results of TIGTA’s FY 2014 FISMA evaluation of the IRS.

Appendix I

Detailed Objective, Scope, and Methodology

The objective of this independent evaluation was to assess the effectiveness of the IRS’s information technology security program and practices for the period July 1, 2013, to June 30, 2014. To accomplish our objective, we responded to the questions provided in the DHS FY 2014 Inspector General Federal Information Security Management Act Reporting Metrics, issued on December 2, 2013. The questions related to the following 11 security program areas:
      1. Continuous Monitoring Management.
      2. Configuration Management.
      3. Identity and Access Management.
      4. Incident Response and Reporting.
      5. Risk Management.
      6. Security Training.
      7. Plan of Action and Milestones.
      8. Remote Access Management.
      9. Contingency Planning.
      10. Contractor Systems.
      11. Security Capital Planning.
We based our evaluation work, in part, on a representative subset of 10 major IRS information systems.
We used the system inventory contained within the Treasury FISMA Information Management System¹ of major applications and general support systems with a security classification of “Moderate” or “High” as the population for this subset.
We also considered the results of TIGTA audits completed during the FY 2014 FISMA evaluation period, as listed in Appendix IV, as well as results from ongoing audits for which draft reports were issued to the IRS by August 8, 2014.
Based on our evaluative work, we indicated with a yes or no whether the IRS had achieved a satisfactory level of performance for each security program area as well as each specific attribute listed in the DHS FY 2014 Inspector General Federal Information Security Management Act Reporting Metrics. The Treasury OIG will combine our results for the IRS with its results for the non-IRS bureaus and submit the combined yes or no responses to the OMB.

¹ Formerly the Trusted Agent FISMA system.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
Jody Kitazono, Audit Manager
Midori Ohno, Lead Auditor
Cindy Harris, Senior Auditor
Bret Hunter, Senior Auditor
Mary Jankowski, Senior Auditor
Louis Lee, Senior Auditor
Esther Wilson, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Chief Technology Officer OS:CTO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Business Planning and Risk Management OS:CTO:SP:RM
       Cybersecurity OS:CTO:C

Appendix IV

Treasury Inspector General for Tax Administration Information Technology Security-Related Reports Issued During the Fiscal Year 2014 Evaluation Period

 1. TIGTA, Ref. No. 2014-20-021, Used Information Technology Assets Are Being Properly Donated; However, Disposition Procedures Need to Be Improved (April 2014).
 2. TIGTA, Ref. No. 2014-20-016, Planning Is Underway for the Enterprise-Wide Transition to Internet Protocol Version 6, but Further Actions Are Needed (Feb. 2014).
 3. TIGTA, Ref. No. 2013-20-063, Improvements Are Needed to Ensure Successful Development and System Integration for the Return Review Program (Jul. 2013).
 4. TIGTA, Ref. No. 2013-20-089, Weaknesses in Asset Management Controls Leave Information Technology Assets Vulnerable to Loss (Sept. 2013).
 5. TIGTA, Ref. No. 2013-20-106, Automated Monitoring Is Needed for the Virtual Infrastructure to Ensure Secure Configurations (Sept. 2013).
 6. TIGTA, Ref. No. 2013-20-107, Full Compliance With Trusted Internet Connection Requirements Is Progressing; However, Improvements Would Strengthen Security (Sept. 2013).
 7. TIGTA, Ref. No. 2013-20-108, Better Cost-Benefit Analysis and Security Measures Are Needed for the Bring Your Own Device Pilot (Sept. 2013).
 8. TIGTA, Ref. No. 2013-20-117, Improved Controls Are Needed to Ensure That All Planned Corrective Actions for Security Weaknesses Are Fully Implemented to Protect Taxpayer Data (Sept. 2013).
 9. TIGTA, Ref. No. 2013-20-118, Foreign Account Tax Compliance Act: Improvements Are Needed to Strengthen Systems Development Controls for the Foreign Financial Institution Registration System (Sept. 2013).
 10. TIGTA, Ref. No. 2013-20-125, Customer Account Data Engine 2 Database Deployment Is Experiencing Delays and Increased Costs (Sept. 2013).
 11. TIGTA, Ref. No. 2013-20-127, While Efforts Are Ongoing to Deploy a Secure Mechanism to Verify Taxpayer Identities, the Public Still Cannot Access Their Tax Account Information Via the Internet (Sept. 2013).